A tool to extract any files/directories/ADSs directly from NTFS image files.

ntfsdump can be invoked from the shell or run from a Python script.

$ ntfsdump {{query}} --output-path {{output_dir}} /path/to/imagefile.raw

from ntfsdump import ntfsdump

# imagefile_path: str
# output_path: str
# target_queries: List[str]
# volume_num: Optional[int] = None
# file_type: Literal['raw', 'e01', 'vhd', 'vhdx', 'vmdk'] = 'raw'

ntfsdump(
    imagefile_path='./path/to/your/imagefile.raw',
    output_path='./path/to/output/directory',
    target_queries=['/Windows/System32/winevt/Logs'],
    volume_num=2,
    file_type='raw'
)

This tool searches and extracts file/directory/ADS path with regular expression queries.
Paths are separated by slashes(Unix/Linux-Style), not backslashes(Windows-Style).

e.g.

Original Path: C:\$MFT
Query: /$MFT

Original Path: C:\$Extend\$UsnJrnl\$J
Query: /$Extend/$UsnJrnl/$J

Original Path: C:\Windows\System32\winevt\Logs
Query: /Windows/System32/winevt/Logs

Queries will be expanded in the future. If you have any questions, please submit an issue.

The target path can be either alone or in a directory. In the case of a directory, it dumps the lower files recursively.

$ ntfsdump /Windows/System32/winevt/Logs -o ./dump ./path/to/your/imagefile.raw

extracting from E01 image (included splited-E01).

$ ls
imagefile.E01
imagefile.E02
imagefile.E03
imagefile.E04
imagefile.E05

$ ntfsdump /Windows/System32/winevt/Logs --type=e01 -o ./dump ./path/to/your/imagefile.E01

https://github.com/sumeshi/ntfsfind

$ ntfsfind '.*\.evtx' ./path/to/your/imagefile.raw | ntfsdump ./path/to/your/imagefile.raw

--help, -h:
    show help message and exit.

--version, -v:
    show program's version number and exit.

--quiet, -q:
    flat to suppress standard output.

--nolog:
    flag to no logs are output.

--volume-num, -n:
    NTFS volume number (default: autodetect).

--type, -t:
    Image file format (default: raw(dd-format)).
    (raw|e01|vhd|vhdx|vmdk) are supported.

--output-path, -o:
    Output directory or file path.

    If the target Path is a directory, the directory specified by --output-path is created and the target files is dump under it.

    Otherwise, the file is dumped with the file name specified in the --output-path.)

The image file to be processed must meet the following conditions.

• File format is raw, e01, vhd, vhdx, or vmdk.
• NT file system(NTFS)
• GUID partition table(GPT)

Additional file formats will be added in the future.
If you have any questions, please submit an issue.

ntfsdump outputs logs in the following format.
By default, it outputs the files to the current directory, but if you do not need them, please use the --nolog option.

- ntfsdump v{{version}} - 
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
2022-01-01T00:00:00.000000: [{{EventName}}] {{Description}}
...

$ pip install ntfsdump

https://hub.docker.com/r/sumeshi/ntfsdump

$ docker run --rm -v $(pwd):/app -t sumeshi/ntfsdump:latest '/$MFT' /app/sample.raw

The source code for ntfsdump is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/ntfsdump).

Please report issues and feature requests. 🍣 🍣 🍣

ntfsdump is released under the LGPLv3+ License.

Powered by following libraries.

• pytsk3
• libewf
• libvhdi
• libvmdk
• ntfs-samples